A BANKING TROJAN THAT STEALS CRYPTO IS TARGETING LATIN AMERICAN USERS

Last updated: June 20, 2025, 20:27 | Written by: Elizabeth Stark


The digital landscape in Latin America is facing a growing threat: banking trojans specifically designed to steal cryptocurrency. While banking trojans have been a persistent menace, particularly targeting Windows users across the region, the emergence of variants focused on cryptocurrency theft marks a significant escalation. These malicious programs are evolving rapidly, employing sophisticated techniques to bypass security measures and pilfer digital assets from unsuspecting victims. The impact of these attacks is far-reaching, affecting not just individuals but also financial institutions and the overall trust in the burgeoning crypto market within Latin America.

Imagine the frustration of carefully investing in cryptocurrency, only to have it vanish due to a sneaky piece of malware. This scenario is becoming increasingly common, compelling cybersecurity experts and users alike to take proactive steps to protect their digital wallets. This article delves into the details of these crypto-stealing banking trojans, examining their methods, targets, and, most importantly, how to defend against them. Stay informed, stay vigilant, and let's navigate this evolving threat together.

The Rise of Crypto-Stealing Banking Trojans in Latin America

Latin America has long been a hotbed for banking trojan activity, with notorious malware families like Grandoreiro, Mekotio, and Casbaneiro dominating the threat landscape. However, recent trends reveal a shift towards targeting cryptocurrency, reflecting the growing popularity and value of digital currencies in the region. This shift presents new challenges for cybersecurity professionals and demands a revised approach to threat detection and prevention.

These trojans aren't just randomly targeting computers; they are specifically crafted to identify and exploit users who are engaged in cryptocurrency transactions or storing crypto assets on their devices. This makes it crucial for crypto users in Latin America to understand the risks and implement robust security measures.

Mekotio: A Prime Example of Crypto-Focused Malware

One of the most prominent examples of this trend is the Mekotio trojan. Initially a conventional banking malware targeting traditional financial institutions, Mekotio has undergone significant updates to specifically target cryptocurrency users. According to a report by cybersecurity firm ESET, Mekotio has been active since around March 2025, constantly evolving its capabilities and expanding its range of attack.

Mekotio primarily targets Windows users across Latin America and is known for:

  • Stealing cryptocurrency wallet credentials.
  • Monitoring user activity related to crypto exchanges.
  • Intercepting and modifying transaction data.
  • Bypassing security defenses with sophisticated evasion techniques.

The continuous evolution of Mekotio highlights the dynamic nature of these threats and the need for constant vigilance. Cybercriminals are actively adapting their tools and tactics to stay ahead of security measures, making it imperative to stay informed about the latest threats.

Grandoreiro: The Re-Emergence and Expansion of a Banking Trojan

The Grandoreiro banking trojan has resurfaced in recent phishing campaigns, targeting users not only in Latin America but also in Europe. Forcepoint reports that Grandoreiro, active since at least 2015, initially focused on Brazil before expanding its operations to Mexico, Portugal, and Spain. Grandoreiro is a Latin American banking trojan, part of the Delphi-based malware family that includes Mekotio and Vadokrist. It primarily targets Windows machines and is designed to:

  • Steal banking credentials.
  • Log keystrokes and monitor activity.
  • Grant remote access to attackers.
  • Bypass security defenses with sandbox evasion.

The re-emergence of Grandoreiro with enhanced sophistication underscores the persistent threat posed by established malware families. The fact that it has expanded beyond its original territory demonstrates the increasing global reach of these cybercriminals. In early May 2025, campaigns specifically targeted users in Colombia, masquerading as official notifications from The Judiciary of Colombia, particularly the Civil Circuit of Bogota. The attacks aimed to deliver the notorious banking trojan DCRat, a Malware-as-a-Service (MaaS) tool known for its affordability and widespread use.

Phishing Campaigns and Deception Techniques

Cybercriminals are employing increasingly sophisticated phishing campaigns to distribute Grandoreiro and other banking trojans. These campaigns often involve:

  • Impersonating legitimate organizations, such as tax agencies or government institutions.
  • Using convincing email templates and subject lines to trick users into opening malicious attachments or clicking on infected links.
  • Employing techniques like URL obfuscation and VPS hosting to evade detection.

For example, cybersecurity firm Forcepoint uncovered a Grandoreiro campaign targeting users in Mexico, Argentina, and Spain via phishing emails impersonating tax agencies. Attackers used Contabo-hosted links to deliver obfuscated Visual Basic scripts and disguised EXE payloads for credential theft. These types of attacks highlight the importance of exercising caution when opening emails from unknown senders or clicking on suspicious links.

Zanubis: Targeting Mobile Users in Peru

The threat landscape extends beyond desktop computers, with mobile banking trojans like Zanubis posing a significant risk to users in Latin America. Kaspersky Global Research and Analysis Team (GReAT) discovered a new version of Zanubis targeting users in Peru. Initially, in 2015, Zanubis mimicked PDF readers or Peruvian government organizations' apps; in 2025, it disguises itself as apps of a local company in the energy sector and a local bank.

Mobile banking trojans like Zanubis can:

  • Steal credentials from mobile banking apps.
  • Intercept SMS messages containing two-factor authentication codes.
  • Gain remote access to the infected device.

The increasing sophistication of mobile banking trojans underscores the need for mobile users to be vigilant and adopt robust security practices, such as downloading apps only from official app stores and being cautious about granting permissions to apps.

DCRat and DroidBot: The Rise of Remote Access Trojans (RATs)

Beyond banking trojans, Remote Access Trojans (RATs) are also emerging as a significant threat to financial institutions and cryptocurrency users in Latin America and beyond. IBM X-Force researchers observed an active phishing campaign targeting Colombian users with fake legal notices in early May 2025. This campaign, attributed to the financially motivated threat actor Hive0131, delivers the DCRat remote access trojan (RAT) via cleverly disguised emails impersonating the Civil Circuit of Bogotá Judiciary.

Similarly, Cleafy Labs uncovered DroidBot, a new Android Remote Access Trojan targeting banks, crypto exchanges, and national organizations in Europe and beyond. Active since mid-2025, DroidBot has been used in multiple campaigns, mainly targeting users in France, Italy, Spain, and Turkey. DroidBot operates with dual-channel communication and evolving tactics.

RATs enable attackers to remotely control infected devices, allowing them to:

  • Monitor user activity in real-time.
  • Steal sensitive information, including login credentials and financial data.
  • Deploy additional malware.
  • Execute fraudulent transactions.

The Mechanics of Attack: How These Trojans Operate

Understanding how these banking trojans operate is crucial for developing effective defenses. The typical attack chain involves several stages:

  1. Infection: The trojan is delivered to the victim's device, usually through phishing emails, malicious websites, or infected software downloads.
  2. Installation: Once executed, the trojan installs itself on the system, often using techniques to evade detection by antivirus software.
  3. Data Collection: The trojan begins collecting sensitive information, such as banking credentials, cryptocurrency wallet details, and keystrokes.
  4. Communication: The trojan communicates with a command-and-control (C&C) server, sending the stolen data to the attackers.
  5. Exfiltration: The attackers use the stolen data to access the victim's bank accounts or cryptocurrency wallets and transfer funds to their own accounts.

Each stage of the attack chain presents opportunities for detection and prevention. By implementing robust security measures at each stage, users can significantly reduce their risk of falling victim to these attacks.

Protecting Yourself: Practical Steps to Mitigate the Risk

While the threat of crypto-stealing banking trojans may seem daunting, there are several practical steps that users can take to protect themselves:

  • Be wary of phishing emails: Always scrutinize emails from unknown senders, and avoid clicking on links or opening attachments from suspicious sources. Verify the sender's identity by contacting them directly through a known phone number or email address.
  • Use strong passwords and enable two-factor authentication (2FA): Strong, unique passwords and 2FA can significantly reduce the risk of unauthorized access to your accounts.
  • Keep your software up to date: Regularly update your operating system, antivirus software, and other applications to patch security vulnerabilities.
  • Install a reputable antivirus program: A good antivirus program can detect and remove malware before it can cause harm.
  • Use a hardware wallet: A hardware wallet stores your cryptocurrency offline, making it much more difficult for attackers to steal your funds.
  • Be careful when downloading software: Only download software from trusted sources, such as official websites or app stores. Avoid downloading pirated software or cracks, as these are often bundled with malware.
  • Monitor your accounts regularly: Check your bank accounts and cryptocurrency wallets regularly for any suspicious activity. Report any unauthorized transactions immediately.
  • Educate yourself: Stay informed about the latest threats and security best practices. The more you know, the better equipped you will be to protect yourself.

The Importance of Cybersecurity Awareness Training

For businesses and organizations, cybersecurity awareness training is crucial. Employees need to be trained to recognize and avoid phishing scams, as well as to follow best practices for password management and software updates. Regular training sessions can help to create a security-conscious culture and reduce the risk of successful attacks.

The Role of Cybersecurity Firms in Combating These Threats

Cybersecurity firms like ESET, Forcepoint, Kaspersky, and Trend Micro play a vital role in combating crypto-stealing banking trojans. These firms:

  • Conduct research to identify new threats and understand how they operate.
  • Develop antivirus software and other security tools to detect and remove malware.
  • Provide threat intelligence and security advisories to help organizations stay informed about the latest threats.
  • Work with law enforcement agencies to investigate and prosecute cybercriminals.

By collaborating with cybersecurity firms, organizations can strengthen their defenses and improve their ability to respond to cyberattacks.

Looking Ahead: The Future of Crypto-Stealing Malware in Latin America

The threat of crypto-stealing malware in Latin America is likely to persist and evolve in the coming years. As cryptocurrency adoption continues to grow, cybercriminals will likely continue to target users in the region. We can expect to see:

  • Increasingly sophisticated attack techniques.
  • A greater focus on mobile devices.
  • The emergence of new malware families.
  • More targeted attacks against specific individuals and organizations.

To stay ahead of these threats, it is essential to maintain a proactive security posture, continuously monitor the threat landscape, and adapt security measures as needed.

Frequently Asked Questions (FAQ)

What is a banking trojan?

A banking trojan is a type of malware that is designed to steal financial information, such as login credentials, credit card numbers, and bank account details. These trojans typically operate by intercepting user input, such as keystrokes, or by injecting malicious code into banking websites or applications.

How do banking trojans steal cryptocurrency?

Banking trojans can steal cryptocurrency by targeting cryptocurrency wallets, exchanges, and other related applications. They may steal login credentials, intercept transaction data, or even replace wallet addresses with those controlled by the attackers.
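
A replaced wallet address is still a well-formed address, so a checksum test alone will not flag it; comparing the pasted destination against a saved address book will. The following is an added example, not part of the original article, and it assumes Base58Check (legacy Bitcoin-style) addresses; the sample addresses and the address-book label are constructed for the demonstration.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_decode(addr: str):
    """Return the payload bytes, or None if the characters or checksum are bad."""
    num = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    payload, check = raw[:-4], raw[-4:]
    return payload if _checksum(payload) == check else None


def check_destination(pasted: str, address_book: dict) -> str:
    """Classify a pasted destination before a transfer is signed."""
    candidate = pasted.strip()
    if b58check_decode(candidate) is None:
        return "malformed"  # typo or truncated paste
    for label, known in address_book.items():
        if candidate == known:
            return "trusted:" + label
    return "unknown"  # valid checksum, but not an address the user saved


def _sample(seed: bytes) -> str:
    # Constructed address: version byte 0x00 + 20 bytes derived from a label.
    return b58check_encode(b"\x00" + hashlib.sha256(seed).digest()[:20])


INTENDED = _sample(b"constructed-recipient")
SWAPPED = _sample(b"constructed-substitute")  # stands in for a replaced address
TYPO = INTENDED[:-1] + ("2" if INTENDED[-1] != "2" else "3")
ADDRESS_BOOK = {"exchange-deposit": INTENDED}

if __name__ == "__main__":
    for name, addr in [("intended", INTENDED), ("swapped", SWAPPED), ("typo", TYPO)]:
        print(name, addr, "->", check_destination(addr, ADDRESS_BOOK))
```

The substituted address passes the checksum and is reported as "unknown", which is the signal to stop and re-verify the recipient through another channel before sending.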

What are the signs of a banking trojan infection?

Signs of a banking trojan infection may include:

  • Slow computer performance.
  • Unexpected pop-up windows.
  • Changes to your browser settings.
  • Suspicious activity in your bank accounts or cryptocurrency wallets.
  • Unusual error messages or system crashes.

What should I do if I think I have been infected with a banking trojan?

If you suspect that you have been infected with a banking trojan, you should:

  • Run a full system scan with a reputable antivirus program.
  • Change all of your passwords, including those for your bank accounts and cryptocurrency wallets.
  • Contact your bank and cryptocurrency exchange to report the incident.
  • Monitor your accounts for any suspicious activity.

Are Macs also vulnerable to banking trojans?

While Windows is the primary target of most banking trojans, Macs are not immune. Cybercriminals are increasingly targeting macOS with malware, including banking trojans. Therefore, it is essential for Mac users to also implement robust security measures.

Conclusion: Staying Ahead of the Curve in a Dynamic Threat Landscape

The emergence of banking trojans targeting cryptocurrency users in Latin America represents a significant evolution in the cyber threat landscape. As cybercriminals continue to refine their techniques and expand their reach, it is crucial for individuals, businesses, and organizations to remain vigilant and proactive in their security efforts. By understanding the threats, implementing robust security measures, and staying informed about the latest developments, we can collectively mitigate the risk and protect our digital assets. Key takeaways include the importance of cybersecurity awareness, the need for strong passwords and two-factor authentication, and the value of partnering with cybersecurity firms to stay ahead of the curve. Protecting your digital assets requires constant vigilance and adaptation. Don't wait until you're a victim; take action today!

Elizabeth Stark can be reached at [email protected].
